Date: Tue, 24 Jun 2025 21:04:35 GMT
Message-Id: <202506242104.55OL4ZxO085239@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Mark Johnston
Subject: git: 350ba9672a7f - main - unix: Set O_RESOLVE_BENEATH on fds transferred between jails
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 350ba9672a7f4f16e30534a603df577dfd083b3f
Auto-Submitted: auto-generated

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=350ba9672a7f4f16e30534a603df577dfd083b3f

commit 350ba9672a7f4f16e30534a603df577dfd083b3f
Author:     Mark Johnston
AuthorDate: 2025-06-24 20:05:37 +0000
Commit:     Mark Johnston
CommitDate: 2025-06-24 21:04:24 +0000

    unix: Set O_RESOLVE_BENEATH on fds transferred between jails

    If a pair of jails with different filesystem roots is able to exchange
    SCM_RIGHTS messages (e.g., using a unix socket in a shared nullfs
    mount), a process in one jail can open a directory outside of the root
    of the second jail and then pass the fd to that second jail, allowing
    the receiving process to escape the jail chroot.

    Address this using the new FD_RESOLVE_BENEATH flag. When externalizing
    an SCM_RIGHTS message into the receiving process, automatically set
    this flag on all new fds where a jail boundary is crossed. This
    ensures that the receiver cannot do more than access files underneath
    the directory; in particular, the received fd cannot be used to access
    vnodes not accessible by the sender.

    PR:                     262179
    Reviewed by:            kib
    MFC after:              3 weeks
    Differential Revision:  https://reviews.freebsd.org/D50371
---
 sys/amd64/conf/SYZKALLER |  5 +++++
 sys/kern/uipc_usrreq.c   | 31 +++++++++++++++++++++++--------
 2 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/sys/amd64/conf/SYZKALLER b/sys/amd64/conf/SYZKALLER new file mode 100644 index 000000000000..965841313616 --- /dev/null +++ b/sys/amd64/conf/SYZKALLER @@ -0,0 +1,5 @@ +include GENERIC-KASAN +ident SYZKALLER + +options COVERAGE +options KCOV diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c index 3f6535567e9d..72bd0246db11 100644 --- a/sys/kern/uipc_usrreq.c +++ b/sys/kern/uipc_usrreq.c @@ -56,7 +56,6 @@ * need a proper out-of-band */ -#include #include "opt_ddb.h" #include @@ -66,6 +65,7 @@ #include #include #include +#include #include #include #include @@ -3437,22 +3437,34 @@ unp_freerights(struct filedescent **fdep, int fdcount) free(fdep[0], M_FILECAPS); } +static bool +restrict_rights(struct file *fp, struct thread *td) +{ + struct prison *prison1, *prison2; + + prison1 = fp->f_cred->cr_prison; + prison2 = td->td_ucred->cr_prison; + return (prison1 != prison2 && prison1->pr_root != prison2->pr_root && + prison2 != &prison0); +} + static int unp_externalize(struct mbuf *control, struct mbuf **controlp, int flags) { struct thread *td = curthread; /* XXX */ struct cmsghdr *cm = mtod(control, struct cmsghdr *); - int i; int *fdp; struct filedesc *fdesc = td->td_proc->p_fd; struct filedescent **fdep; void *data; socklen_t clen = control->m_len, datalen; - int error, newfds; + int error, fdflags, newfds; u_int newlen; UNP_LINK_UNLOCK_ASSERT(); + fdflags = (flags & MSG_CMSG_CLOEXEC) ? O_CLOEXEC : 0; + error = 0; if (controlp != NULL) /* controlp == NULL => free control messages */ *controlp = NULL; 
@@ -3494,11 +3506,14 @@ unp_externalize(struct mbuf *control, struct mbuf **controlp, int flags) *controlp = NULL; goto next; } - for (i = 0; i < newfds; i++, fdp++) { - _finstall(fdesc, fdep[i]->fde_file, *fdp, - (flags & MSG_CMSG_CLOEXEC) != 0 ? O_CLOEXEC : 0, - &fdep[i]->fde_caps); - unp_externalize_fp(fdep[i]->fde_file); + for (int i = 0; i < newfds; i++, fdp++) { + struct file *fp; + + fp = fdep[i]->fde_file; + _finstall(fdesc, fp, *fdp, fdflags | + (restrict_rights(fp, td) ? + O_RESOLVE_BENEATH : 0), &fdep[i]->fde_caps); + unp_externalize_fp(fp); } /*
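Review bot: the new file sys/amd64/conf/SYZKALLER (include GENERIC-KASAN, ident SYZKALLER, options COVERAGE, options KCOV) is not mentioned anywhere in the commit message, which describes only the SCM_RIGHTS externalization change in sys/kern/uipc_usrreq.c; it reads as an unrelated kernel configuration that was swept into the same commit. Either split it into its own commit or add a sentence to the message explaining why a syzkaller build configuration ships with this fix.

Review bot: restrict_rights() carries no comment explaining its three conditions, and two of them deserve one. The credential compared is fp->f_cred, i.e. the prison of the process that opened the file, not the prison of the process that sent the message, so when an fd is forwarded through an intermediate jail the boundary being checked is opener-to-receiver; a one-line comment saying so would keep the code and the message's "not accessible by the sender" in step. The prison2 != &prison0 clause (receiver in the host prison is never restricted) and the pr_root comparison (jails sharing a root are treated as one) also merit a line each. As a style point, prison1 != prison2 is implied by prison1->pr_root != prison2->pr_root and could be dropped or kept only as a cheap short-circuit, with a comment either way.

Review bot: the loop passes O_RESOLVE_BENEATH to _finstall() while the commit message describes the mechanism as the new FD_RESOLVE_BENEATH flag; a short comment at the _finstall() call noting that the O_ open flag is translated into the per-fd FD_ flag at install time would prevent a reader from looking for a flag mismatch. It would also help to note that the flag is applied to every fd in the message, not only directory fds, and that this is intentional because the flag only affects path resolution relative to the fd and is harmless on other file types, if that is the reviewers' understanding.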